In the wake of 12 data breaches reported in 2018, Facebook’s parent company has been hit with a hefty fine for failing to follow GDPR regulations related to its ability to demonstrate data privacy protection practices.

The Republic of Ireland’s Data Protection Commission (DPC) has fined Facebook parent company Meta €17 million (US$18.6 million) for violating multiple articles of the GDPR (General Data Protection Regulation) related to a series of 12 data breach notifications that occurred in the latter half of 2018.

The GDPR is an EU regulation, in effect since May 2018, that sets comparatively strict standards for the management, processing and protection of user data. Specifically, the DPC stated, the company failed to institute measures that would allow it to demonstrate compliance with GDPR regulations under Articles 5(2) and 24(1).

“The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” the DPC said. The practices under examination by the DPC involved cross-border processing of personal data, and so, according to GDPR rules, all of the other European supervisory authorities were consulted, the DPC added.

The GDPR applies to almost all companies that handle the personal data of European residents or have a physical presence in an EU country. Information explicitly covered by the GDPR includes names and addresses, health data, web identifiers like cookies, racial data, sexual orientation and political opinions.
Critically, it also applies to third-party vendors providing services to companies subject to the law — meaning they have to be GDPR-compliant as well, in order to avoid fines for the company directly subject to the law.

GDPR fines are determined by a multifactor legal test, which takes into account the gravity and nature of the infraction, whether it was intentional or negligent, what category of data was affected and more. Specific guidelines are provided for offenses under certain chapters of the GDPR, which are capped at either €10 million or 2% of a company’s worldwide income from the previous year, whichever is higher, for lesser infractions, or €20 million or 4% of last year’s income for more serious violations.

The €17m fine levied against Meta is the 11th largest ever handed out for violating the GDPR, according to a list maintained by email security vendor Tessian. While the fine pales in comparison to the largest ever handed out — that distinction belongs to a €746 million levy against Amazon in 2021, for violating cookie handling policies — the Meta family of companies has previously earned larger fines than the one announced today, including a €255 million penalty for insufficiently well-defined privacy policies at WhatsApp issued by Ireland in 2021, and €60 million in June 2021 from French authorities for failing to obtain proper cookie consent from Facebook users.